b"Audit Report 98-11\nIMMIGRATION AND NATURALIZATION SERVICE\nREFUGEES, ASYLUM AND PAROLE SYSTEM\nAudit Report 98-11, (3/98)\nTABLE OF CONTENTS\nEXECUTIVE SUMMARY\nFINDINGS AND RECOMMENDATIONS\nI.\xc2\xa0\xc2\xa0ACCOUNTABILITY OF ALIEN IDENTIFICATION NUMBERS\nII.\xc2\xa0\xc2\xa0INTERFACES WITH OTHER INS SYSTEMS\nIII.\xc2\xa0\xc2\xa0DATA INPUT CONTROLS\nIV.\xc2\xa0\xc2\xa0COMPUTER SECURITY\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS\nAPPENDIX - OBJECTIVE, SCOPE AND METHODOLOGY\nExecutive Summary\nThe Immigration and Naturalization Service (INS) implemented the Refugees, Asylum, and\nParole System (RAPS) in 1991 to automate alien casework management. RAPS is designed to\nautomate tracking of individuals seeking asylum, to control asylum and refugee\napplications, and to provide an efficient and effective asylum adjudication process. In\n1994, the system gained greater visibility when it was redesigned to support the\nCommissioner's Asylum Reform initiative. As of 1996, RAPS implementation costs have\namounted to almost $1.2 million.\nThe system operates from the Justice Data Center and can be accessed 24 hours a day\nfrom remote computer workstations at the four INS service centers and eight asylum\noffices. In addition, the system interfaces with other INS systems to identify and update\nalien address changes and to track alien files.\nThe objective of our audit was to determine whether RAPS satisfied user needs by\nautomating the alien casework process and to assess management controls. We found that\noverall RAPS users surveyed indicated that the system satisfied user needs by automating\nthe asylum casework process and the system reduced manual processing. However, we found\nthe following management control deficiencies:\nAlien file numbers were not always properly accounted for, permitting possible\nfraudulent record creation in RAPS using missing numbers.\nSystem interfaces were not always effective, affecting the timeliness and reliability of\ninformation used for decision making.\nData input controls, although adequate at all INS service centers, were not adequate at\nasylum offices, diminishing the reliability of alien status reporting.\nComputer security was not adequate, opening the system to internal and external attack,\nand loss of critical data.\nPrior to the preparation of the report, we met with INS management to review our\nfindings and recommendations. The report discusses conditions found, INS management\ncomments, recommendations, and a status update regarding the action performed to close the\nrecommendations. The details of our work are contained in the Findings and Recommendations\nsection of the report. Our objective, audit scope and methodology are contained in the\nAppendix.\nFINDINGS AND RECOMMENDATIONS\nWe found that RAPS satisfied user needs by automating the asylum casework process. Over\ntwo thirds of the surveyed users answered positively when asked whether RAPS automated\ntheir work, reduced manual work, and contained reliable data. We also found that data\ninput controls were adequate at all INS service centers. We did, however, identify\nmanagement control deficiencies in the areas of alien file number accountability, system\ninterfaces, data input controls at the asylum offices, and computer security. These\ndeficiencies occurred because INS personnel had either not developed or adhered to\nestablished guidelines and procedures.\nI.\xc2\xa0\xc2\xa0ACCOUNTABILITY OF ALIEN IDENTIFICATION NUMBERS\nINS assigns an alien identification number (A-number) to each new application for\nasylum. INS personnel obtain the A-number from a pre-numbered alien file folder and input\nit into RAPS. The A-number is unique to each alien record and is the primary RAPS data\nelement. Consequently, INS personnel are required to control file folders to prevent\nfraudulent alien records from being created in RAPS. Federal regulations require that\naccess to records and resources be limited to authorized individuals.\nFor two of four service centers and one of eight asylum offices, we found alien\nidentification number accountability deficiencies including:\nAt the Eastern Service Center, INS personnel did not securely store and account for\nissued and unused alien file folders.\nAt the Western Service Center, the alien file folder log was not reconciled with file\nfolder distribution sheets to ensure that the folders were properly accounted for.\nAt the Los Angeles Asylum Office, INS personnel maintained a log to track alien file\nfolder distribution. However, the log indicated that no alien file folders had been\ntracked since 1995.\nIn our judgment, these deficiencies occurred because INS personnel did not adhere to\nestablished guidelines for accounting for and physically securing pre-numbered alien file\nfolders. Effective accountability of alien identification numbers prevents INS personnel\nfrom establishing fraudulent records in RAPS.\nINS Comments:\nINS officials concurred and provided us with documentation showing the guidelines for\naccounting for and physically securing alien file folders. In addition, INS officials\nprovided us with a copy of its INSpect Guide for Records Program dated February\n1997, which is used by INS for reviewing the security of alien file folders. INS officials\nagreed that INS personnel should be reminded of these established guidelines and the\nimportance of securing alien file folders.\nRecommendation and Status\nWe recommend that the Commissioner, INS:\n1. Ensure adherence to established guidelines for accounting for and physically\nsecuring alien file folders.\nClosed. INS provided us with: (a) an INSpect Report, dated October 28, 1997,\ndocumenting a review of A-file folder accountability at the Western Service Center; (b) a\nschedule of future inspections, which includes a review of the Eastern Service Center; and\n(c) documentation demonstrating that established guidelines for accounting for and\nphysically securing alien file folders had been communicated to appropriate INS personnel.\nII. INTERFACES WITH OTHER INS SYSTEMS\nRAPS interfaces with the Computer Linked Applicant Information System (CLAIMS)1 and the Receipt and Alien File Accountability Control System\n(RAFACS).2 RAPS interfaces with CLAIMS to identify and\nupdate alien address changes, and RAFACS to track alien files. Effective system interfaces\ndepend on reliable data and effective electronic communications. Reliable data are ensured\nwhen organizations develop change management procedures to detect and correct changed or\ndeleted data. Effective communications procedures ensure that data are transmitted\npromptly and that transmissions are verified. Federal regulations state that agencies\nreasonably ensure that timely and reliable information is obtained and maintained to\nassist decision making.\nWe found CLAIMS interface deficiencies with 26 of 144 transactions including:\n20 CLAIMS alien address changes were incorrectly updated in RAPS.\nThree alien addresses in CLAIMS did not match the addresses in RAPS.\nThree cases in RAPS were closed when, in fact, CLAIMS indicated they should have been\nreopened.\nWe found RAFACS interface deficiencies including:\n79 of 196 RAFACS alien records were not updated in RAPS.\nIn our judgment, the CLAIMS interface deficiencies occurred because INS had not\ndeveloped change management procedures to detect and correct changed or deleted data. The\nRAFACS interface deficiencies occurred because INS personnel in the field did not adhere\nto established procedures to ensure that interfaced data are transmitted and received.\nEffective systems interfaces ensure that timely and reliable information is available to\nmanagers to make informed decisions.\nINS Comments:\nINS officials concurred and provided us with CLAIMS documentation showing the\nimplementation of change management procedures to detect and correct changed or deleted\ndata. Regarding RAFACS interface deficiencies, INS officials concurred that personnel did\nnot adhere to established procedures. INS officials stated that the Local Area Network\n(LAN) administrators at the asylum offices are responsible for uploading RAFACS files.\nThese administrators are contract employees whose duties are defined in their contract.\nINS officials agreed that INS' contract manager would send a reminder memorandum to the\nLAN administrators reemphasizing their responsibility to upload the RAFACS files.\nRecommendations and Status\nWe recommend that the Commissioner, INS:\n2. Develop change management procedures to detect and correct changed or deleted data.\nClosed. INS officials provided us with the implemented change management\nprocedures.\n3. Ensure adherence by INS contract personnel to established procedures to ensure that\ninterfaced data are transmitted and received.\nClosed. INS provided us with a memorandum reminding contract personnel at the\nasylum offices to follow established procedures to ensure that interfaced data are\ntransmitted and received.\nIII.\xc2\xa0\xc2\xa0DATA INPUT CONTROLS\nService Centers\nINS service center personnel create initial records and alien files by inputting data\ninto RAPS from the Form I-589, Application for Asylum. We tested data authenticity,\ncompleteness, and accuracy by comparing 4,704 randomly selected RAPS entries from the Form\nI-589 source document with downloaded data from the four INS service centers. The universe\nof data was broken down into eight individual populations representing each asylum office\njurisdiction. For each of the sampled populations, we found an acceptable one percent\nerror rate.3 We attributed the low error rate to\neffective operator data entry training, supervisory oversight, and unit quality control.\nAsylum Offices\nAsylum office personnel update RAPS data after conducting interviews with the asylum\napplicants. Data input controls require asylum personnel to ensure the accuracy and\ncompleteness of RAPS data by reviewing error and exception reports. Error and exception\nreports pinpoint data entry errors and missing data. Federal regulations require that\nreliable information be obtained and maintained, and that transactions be properly\naccounted for to prepare reliable reports.\nWe found asylum office data input control deficiencies including:\nAt all eight asylum offices, personnel were not reviewing exception reports to identify\nrejected data and ensure its correct re-entry.\nAt four of eight asylum offices, data input procedures were not consistently applied for\nentering data only after proper authorization. For example, managers at the four asylum\noffices were not informed when personnel created initial RAPS records and alien files.\nWhereas, at the remaining four asylum offices, managers required that clerks gain\nsupervisory approval prior to entering a new record in RAPS.\nIn our judgment, these data input control deficiencies occurred because INS personnel\ndid not adhere to established data input control procedures for asylum offices to review\nand follow up on RAPS database error and exception reports, and enter data only after\nproper authorization. As a result of control weaknesses identified in A-file folder\naccountability, data input controls at the asylum offices, and system interfaces, we could\nnot determine data reliability once custody of the Application for Asylum is transferred\nfrom the service centers to the individual asylum offices. However, 86 percent of users\nsurveyed in our user satisfaction survey stated that they thought that RAPS data were\nreliable. We also found that data entered at the service centers were 99 percent accurate.\nEffective data input controls prevent database and output report inaccuracies.\nINS Comments:\nINS officials concurred and stated they would send a memorandum to the asylum offices\nreminding personnel to review and follow up on exception reports and to require proper\nauthorization before entering new records into RAPS.\nRecommendation and Status\nWe recommend that the Commissioner, INS:\n4. Ensure adherence to established data input procedures to: (a) review and follow up\non RAPS exception reports, and (b) enter data only after proper authorization.\na. Closed. INS personnel provided us with documentation demonstrating that\nestablished procedures to ensure review and follow up on RAPS exception reports had been\ncommunicated to appropriate personnel.\nb. Closed. INS provided us with documentation demonstrating that established\nprocedures to enter data only after proper authorization were communicated to appropriate\npersonnel.\nIV.\xc2\xa0\xc2\xa0COMPUTER SECURITY\nThe goal of a computer security program is to protect critical data from unauthorized\nuse, deletion, and modification. An effective computer security program includes\ninformative and practical computer security and contingency plans, an analysis of the\nrisks associated with operating the information system, and computer security training for\nusers. Federal regulations require agencies to physically secure computer systems, prepare\ncomputer security and contingency plans, conduct risk analyses on critical computer\nsystems, and provide initial and refresher computer security training to protect systems\nfrom internal and external attack, and loss of critical data.\nFor the four service centers and eight asylum offices tested, we found computer\nsecurity deficiencies including:\nFour asylum offices did not close or lock doors to the computer facilities.\nOne service center and one asylum office did not record access to their facilities.\nThree service centers and six asylum offices did not prepare computer security plans.\nTwo service centers and three asylum offices did not perform risk analyses.\nOne service center and six asylum offices did not prepare contingency plans. In\naddition, two service centers and one asylum office were in the process of preparing\ncontingency plans.\nSix asylum offices did not provide initial and refresher computer security awareness\ntraining to their personnel.\nIn our judgment, the first two weaknesses occurred because INS had not followed\nestablished access control procedures. The last four deficiencies occurred because the\nDepartment of Justice had not developed and implemented effective computer security\nprogram guidance for its components, and monitored compliance. In a separate audit report,\nwe recommended the Assistant Attorney General for Administration develop and implement\neffective computer security guidance for its components, and monitor compliance.\nAccordingly, we will offer no formal recommendation on these weaknesses. Effective\ncomputer security program guidance will provide INS with guidelines to develop and manage\nan effective RAPS computer security program.\nINS Comments:\nINS officials concurred and provided us with documentation containing steps to ensure\nthat computer room doors are secured. INS personnel further stated they would send a\nmemorandum to the appropriate offices notifying them of the security weaknesses and the\ncorrective action required.\nRecommendation and Status\nWe recommend that the Commissioner, INS:\n5. Correct the access control weaknesses to ensure that: (a) computer room doors are\nclosed and locked, and (b) access to its facilities is recorded.\nClosed. INS personnel provided documentation showing that appropriate offices\nwere notified of the security weaknesses and the completion of corrective action to ensure\nthat computer room doors are closed and locked and access to facilities is recorded.\nSTATEMENT ON COMPLIANCE WITH\nLAWS AND REGULATIONS\nThe audit was conducted in accordance with generally accepted government auditing\nstandards. We audited INS' system policies and associated operational procedures. In\nconnection with the audit, and as required by the standards, we also tested transactions\nand records to obtain reasonable assurance with laws and regulations that, if not complied\nwith, we believe could have a material effect on the INS' mission.\nFederal security laws and regulations require agencies to establish controls assuring\nadequate security of information processed, transmitted, or stored in Federal automated\ninformation systems. The specific laws and regulations against which we conducted our\ntests included: (1) the Computer Security Act of 1987 (Public Law 100-235); (2) OMB\nCircular A-123, Management Accountability and Control; and (3) OMB Circular A-130,\nManagement of Federal Information Resources.\nThe results of our tests indicated that for the Headquarters and field offices tested,\nINS did not comply with the laws and regulations referred to above in the areas of alien\nfile number accountability, data input controls, system interfaces, and computer security.\nCompliance with laws and regulations applicable to the data reliability of RAPS is the\nresponsibility of INS management. Based on our limited review, we considered the data in\nRAPS reliable and did not find errors that would preclude the use of the\ncomputer-processed data.\nThe Justice Data Center management is responsible for establishing and maintaining the\noverall computer security and control environment at the data centers. A recent Department\nof Justice Annual Financial Statement Report for Fiscal Year 1996 disclosed that general\ncontrols in place at the Department's Maryland and Texas data centers were not effective\nto adequately safeguard software programs and data such as RAPS from unauthorized access\nand modification.\nBecause of the materiality of noncompliance noted in this report, we cannot provide\nassurance that INS complied with the above-cited laws and regulations with respect to\nthose offices not tested.\nAPPENDIX\nOBJECTIVES, SCOPE AND METHODOLOGY\nOBJECTIVES\nThe objective of our audit was to determine whether RAPS satisfied user needs by\nautomating the alien casework process and was managed effectively. Specifically, we\ndetermined whether: (1)\xc2\xa0alien identification numbers were properly accounted for,\n(2)\xc2\xa0INS service center and asylum office data input controls were adequate,\n(3)\xc2\xa0interfaces with the Computer Linked Applicant Information Management System\n(CLAIMS) and the Receipt and Alien File Accountability Control System (RAFACS) were\neffective, and (4)\xc2\xa0computer security was adequate.\nSCOPE AND METHODOLOGY\nThe audit was performed in accordance with generally accepted government auditing\nstandards. However, we may not be considered to be completely independent of INS, as\nrequired by the standards, because INS has reimbursed us for work that pertained to INS\nfee-supported programs. The Office of Management and Budget and the Department of Justice\n(including the OIG, the INS, and the Justice Management Division) disagree with INS\nfunding our work and are attempting to have the funds appropriated directly to the OIG. In\nFYs 1996 and 1997, the OIG received $5 million for fee-related audits, investigations, and\ninspections. The dollar amount funded approximately 14 percent of the total OIG staff\npositions. Nonetheless, we consider ourselves independent and do not believe that our\nreimbursement arrangements with INS have had any effect with regard to our conduct of this\naudit. We examined laws, policies, regulations, manuals, and memoranda; interviewed\nresponsible personnel; and performed data integrity tests of RAPS data.\nOur audit included reviews of the four INS service centers and eight asylum offices.\nThe reviews focused on general and application controls. We randomly selected the records\nused to conduct our data integrity tests using audit software. The universe of data was\nbroken down into eight individual populations. For each population, the software randomly\nselected and sampled 20-30 records. Each record contained 24 RAPS entries, for a total of\n4,704. For each of the eight sampled populations, we found an acceptable one percent error\nrate. In addition, we interviewed approximately 80 employees at INS Headquarters and field\noffices. Finally, we conducted a survey to determine the level of satisfaction among 36 of\n311 judgmentally selected RAPS users.\n1 CLAIMS is a mainframe system that records and tracks cases\nfor immigration benefits.\n2 RAFACS is a local area networked system that tracks the\nlocation of alien files within designated offices.\n3 This error rate applies only to initial record creation at\nthe service centers. It does not apply to subsequent updates performed at the asylum\noffices where we found data input control deficiencies.\n#####"